Meltdown and Spectre Security Vulnerabilities -- Deck Chairs on the Titanic
By Duane Thresher, Ph.D.
January 18, 2018

I have a BS in Electrical Engineering and Computer Science
from MIT, among much other relevant education and experience.

Panicking about the Meltdown and Spectre computer security
vulnerabilities is like panicking about the arrangement of the
deck chairs on the Titanic.

The arrangement of the deck chairs on the Titanic was a safety
issue -- theoretically passengers could be blocked by them --
but the actual giant hole in the side of the ship was the much
bigger concern. (For simplicity I won't make the analogy
using the design flaw in the Titanic that actually caused it
to sink -- the bulkheads did not reach high enough and make

The Meltdown and Spectre security vulnerabilities are the big
Information Technology (IT) news recently. These were
announced together but are two separate security
vulnerabilities, similar in that they result from CPU design
flaws ("bugs") at the intersection of electrical engineering
and computer science. I won't go into the technical details
because the media and most of the public do not have the
background to begin to understand them and it's not

These security vulnerabilities are theoretical, not something
found already being exploited in the wild. Finding computer
security vulnerabilities is a serious academic (universities
and other research organizations) competition -- cash bounties
are even paid for them, as they were for
reporting them is a serious journalistic competition.
Reputations are made on finding and on reporting them, the
worse the security vulnerability found, the more prestige.
They even have publicity campaigns that include official
logos, as you can see from the picture accompanying this

Unfortunately, measuring how bad these security vulnerabilities
are has been reduced to how widespread they are -- the CPU
bugs resulting in the Meltdown and Spectre security
vulnerabilities are widespread, affecting many processor
types -- without regard to how easy or likely they are to be
exploited. There is no advantage to the academics and
journalists to take this into account so it isn't.

CPU manufacturers then have to respond -- in the extreme or be
accused of not doing enough -- to the reported security
vulnerabilities to save their reputations, not because they
think the security vulnerabilities are so serious.

Again, the Meltdown and Spectre security vulnerabilities are
theoretical and "discovering" them has been many years in the
making, including numerous academic articles. The actual
"discovery" was just outlining a way these CPU bugs could be
exploited as security vulnerabilities.

It's extremely unlikely your average hacker -- particularly
since your average hacker is a script kiddie, using hacking
programs written by others -- would have ever found these
security vulnerabilities or how to exploit them.
State-sponsored hackers might have been able to, but they know
there are easier more-successful hacking methods; see

(This discovering raises a serious ethical issue. Publicly
outlining how to exploit these security vulnerabilities makes
it more likely they will be used in the wild. Academics, who
have a vested interest in arguing so, argue that any security
protection that depends on secrecy is doomed to failure.
However, the best encryption ever invented, RSA, may already
be breakable, by the NSA for instance, but this may be being
kept secret, which is keeping most people protected from the
really bad guys.)

Meanwhile -- and this is the giant hole in the side of the
Titanic -- easy-to-exploit security vulnerabilities that have
been used to hack millions of people, organizations, and whole
countries -- like those in the Equifax hacking -- go
practically unaddressed, even though they could easily be

I'll outline the most successful, thus most used, hacking
techniques, thus security vulnerabilities.

Humans are computers' biggest and eternal security
vulnerability and social engineering is the general hacking
technique that takes advantage of this. Spear phishing is a
specific technique that has been used with great success by
Russian and Chinese state-sponsored hackers.

In spear phishing, a hacker learns personal details about
certain people on the organization's computer system he is
trying to hack and pretends to be one of these people to
another of these people in an email in order to change
passwords. The personal details have been foolishly provided
by the people in social media like Facebook and act as proof
of identity, like the ubiquitous account security questions
("What is your dog's name?"). For example:

To: Alice [a secretary who can change passwords or have them changed]
From: Bob [an executive; the actual email address is disguised]
Subject: Urgent - change my password

How was Eve's [Alice's daughter] birthday party yesterday?
As you know, I am at a conference. I need to log in to get
some important information for my talk. But with all the
stress I have forgotten my password. Please change my
password to "Corky7" ASAP [nice touch, Corky is Bob's dog and
adding a number is good password creation].

Alice foolishly falls for this, and the hacker has logged in,
stolen all the confidential/classified information, made a
backdoor, and covered his tracks before it is discovered, if
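
A defender-side check for the email pattern above, as an added example (not from the original article): it flags a sender whose display name matches a known user while the address does not, and any emailed password-change request. The directory, addresses and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Hypothetical directory: display name -> the only address that person sends from.
DIRECTORY = {"bob": "bob@example.com"}

# Requests that should never be acted on from email alone.
CREDENTIAL_REQUEST = re.compile(
    r"\b(change|reset)\b.{0,40}\bpassword\b", re.IGNORECASE | re.DOTALL)

def check_message(raw):
    """Return the reasons this message needs out-of-band verification."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches a known user but address does not")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + (body if isinstance(body, str) else "")
    # Flagged even when the address looks right: the From header can be forged.
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks for a password change")
    return findings

# Constructed sample modelled on the article's Alice/Bob email.
SPOOFED = """\
From: Bob <bob@examp1e.test>
To: Alice <alice@example.com>
Subject: Urgent - change my password

Please change my password to "Corky7" ASAP
"""

# Constructed benign message from Bob's real address.
GENUINE = """\
From: Bob <bob@example.com>
To: Alice <alice@example.com>
Subject: Conference slides

Slides attached for review.
"""

if __name__ == "__main__":
    print(check_message(SPOOFED))
    print(check_message(GENUINE))
```
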
The Web was not designed for what it is used for today so it
inherently has security vulnerabilities and hacking web apps
is another top general hacking technique. In fact, the recent
Equifax hacking -- considered to be the worst ever -- used
this technique. This was not to exploit a previously-unknown
("zero-day") security vulnerability, which might seem
forgivable (it really isn't). No, there was a patch for the
security vulnerability available two months before the hacking
but it was stupidly not applied.

Hacks Its Own Customers
for another specific web hacking
technique. By the way, GoDaddy should pay me a cash bounty
for pointing out a security vulnerability.)

As you should see from the preceding cases and as is the
actuality, IT incompetence is the root cause of the worst and
most hackings. Panicking about theoretical complex security
vulnerabilities while ignoring this is like panicking about
the arrangement of deck chairs on the Titanic.

IT incompetence at all levels is rampant and causing vast
damage. See Apscitu's Stop IT Incompetence
website for a more complete discussion of IT incompetence.
Apscitu's mission is to stop IT incompetence to the highest
levels of government and business.